Mostly correct or at least correct enough. Tor traffic is not consistent with normal internet traffic but it isn't inconsistent with SSL considering it uses SSL . That is just semantics though. DPI is pretty much the state knowing the contents of snail mail by opening it up and looking in it, but the spirit of what you said is correct. You should probably use at least two bridges but not more than three. Attackers don't need to do timing attacks at the exit node to see what you are doing, they need to do timing attacks at the entry and exit to correlate the traffic and link you to your destination though. Technically connections to hidden services are just as vulnerable to timing attacks as websites on the clearnet are, although it might be slightly more difficult for an attacker to know they are watching the entry node of a hidden service. If you run a Tor node and want to see if you are the entry guard for a given hidden service it is really easy, you can just send the hidden service a stream of packets with some pattern of modulation down a few dozen circuits and then see if you detect any streams with the same modulation passing through your relay and to a non Tor node IP address. Likewise it is easy for a passive attacker to determine if a node they are monitoring is the entry guard for a given hidden service, in the same exact way. It is also easy to trace hidden services up to their entry guards with that active attack from 06, although there are ways to greatly slow down that attack. In fact your DNS servers could go down and you can still access clearnet websites with Tor since it identifies relays by IP address only and uses the same DNS servers as the exit node on your circuit.